Bugtraq mailing list archives

RE: Crystal Reports Vulnerabilities


From: "Imperva Application Defense Center" <adc () imperva com>
Date: Tue, 4 May 2004 18:02:43 +0200

Just a short update.
Shortly after sending this mail we have been contacted by their Product
Manager.
BusinessObjects are now addressing the problem, and we are waiting for a
patch to be issued so the technical details of the vulnerability can be
disclosed.

Sincerely,

Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.

-----Original Message-----
From: Michael Ray [mailto:miker () cotse com] 
Sent: Tuesday, May 04, 2004 4:35 PM
To: Imperva Application Defense Center
Cc: bugtraq () securityfocus com
Subject: Re: Crystal Reports Vulnerabilities


On Sun, 2 May 2004 10:28:21 +0200, you wrote:

Dear List,

Imperva(tm)'s Application Defense Center has discovered several 
vulnerabilities in BusinessObject's Crystal Reports' Web Interface. 
These vulnerabilities allow a potential hacker to retrieve and delete 
any file from the file system of the server on which it runs, as well 
as causing a complete denial of service to the server.

In the past week, we have attempted to contact BusinessObjects in order
to provide them the details of the vulnerability, so that a patch can 
be issued by them to solve the problem. Since we were unable to find 
any security-specific contact, we have attempted to notify them through
all known support email addresses, the support contact form on their 
site, and several standard email addresses, such as info, support, 
security, etc.

Sadly, none of these attempts has succeeded. We therefore send it in 
here, hoping this list is read by anyone related to BusinessObjects or 
by anyone who knows how to contact their security related staff. Any 
assistance in contacting the right person would be appreciated.

Sincerely,

---
Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.
http://www.imperva.com/adc/

Our Business Objects representative was contacted but was not aware of
any security-related issues. The email was forwarded to them and they
said they would be contacting Imperva.

Thanks,

Mike

